Laws and regulations on data protection and privacy are constantly evolving. Strelia’s Employment & Benefits Practice will share its insights into this subject with you through its Data Protection & Privacy at the Workplace Series. With this, we hope to keep your company at the forefront of the most important legal developments on this topic.
In this edition of our Series, we analyze Decision no. 40/2023 of April 3, 2023 rendered by the Belgian Data Protection Authority (DPA). The DPA answers the question whether a former employee could access his personal data that can be found on a work mailbox, which the employee had used when he was working for his former employer.
Facts
Plaintiff was a workshop manager at a company, his former employer. For his work, he used an e-mail address that the company had created for him and that referred to his particular position (so-called functional e-mail address). The plaintiff used this functional e-mail address for at least 8 years, which he also used for private purposes throughout his employment. The company had no ICT policy in place.
After his employment contract ended, plaintiff asked his former employer if he could access some of his personal data, which could be found in this functional e-mail address and in the work mailbox. He sought copies of various documents concerning his personal file, the communication of all his personal data processed by the former employer and access to private e-mails. The former employer told the plaintiff that it had changed the logins to the functional e-mail address. It also denied him access because, according to the company, a functional e-mail address is not personal at all and therefore could not constitute personal data.
After the plaintiff filed a complaint about the former employer’s decision to deny him access to his personal data, the parties decided to settle the dispute before the DPA.
DPA’s Decision
The DPA first analyzed whether the functional e-mail address and the data therein constitute personal data. Then, it assessed the plaintiff’s request (or rather, the plaintiff’s right) to access that data, as well as the data on the work mailbox.
Regarding the personal nature of the functional e-mail address, the DPA first referred to the statutory definition of personal data. For data to be considered personal, it must relate to a natural person who must be identified or identifiable. In the case here, the functional e-mail address in question is linked to a department at the former employer company and not to an individual. The second question is, despite that this is a functional e-mail address, whether it is possible to identify the natural person using it.
The DPA noted that the employee was the only user of the e-mail address for a certain period. Even though the intention of using a functional e-mail address was not to have it associated with any particular employee, the employee using it could still be identified indirectly. Consequently, the functional e-mail address that was being used for that certain period constituted personal data.
However, for the period during which other employees, e.g., the other workshop manager, also used this e-mail address during that same period, the plaintiff was no longer indirectly identifiable, hence the e-mail address would no longer constitute personal data.
Furthermore, the DPA emphasized that the fact that even if an e-mail address is not considered personal data, this does not mean that the mailbox cannot contain personal data. It therefore held that the plaintiff’s request to access the mailbox was made in accordance with the GDPR. Indeed, regarding the right to access the mailbox, the DPA emphasized that the plaintiff’s reason for the request is irrelevant. Plaintiff was thus entitled to request access to the mailbox even though the e-mail address would not be considered personal data.
However, the DPA confirmed that this right of access is not absolute and must be balanced with the interests of each party. In fact, the right of access can be denied if the reason for the request is manifestly unfounded or excessive and if denying access is justified. In the case at hand, the former employer did not even bother justifying its denial.
The DPA observed that searching for all the e-mails containing personnel data relating to the plaintiff (over an 8-year period) would represent a disproportionate workload, but the DPA also noted that the former employer failed to demonstrate the excessive nature of the request when it had informed the plaintiff of its denial. For the latter reason, the DPA held that the former employer violated the GDPR, and it reprimanded the company.
-----------
Key takeaways for employers
- Having a clear policy prohibiting the use of the work e-mail address for private purposes is recommended.
- Depending on the circumstances of each case, a functional e-mail address can be considered personal data if it is not used by several people.
- A functional e-mail address that is being used by several people will not be considered personal data, but this does not preclude the mailbox from containing personal data.
- A former employee’s right of access to personal data in a mailbox is not absolute. The employer may deny access to the mailbox in question if the employer justifies its denial and demonstrates that the employee's request to access is manifestly excessive or unfounded.
-----------
Stefanie Tack
Julie Brohée